NIST-led group offers industrial cybersecurity requirements

Share this article:

An industry group led by the National Institute of Standards and Technology (NIST) has released a set of cybersecurity requirements for computer systems used to control industrial processes for water, electrical power, and other infrastructures.

Formed by NIST in 2001, the Process Control Security Requirements Forum has some 600 members, including users and vendors. The forum's draft document, "System Protection Profile (SPP) for Industrial Control Systems," is intended as baseline security requirements for new products and could be used by companies in procurement requests, said Keith Stouffer, forum chairman and mechanical engineer at NIST.

The requirements are designed to cover a variety of devices, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLCs).

"Until recently, security wasn't really an issue because these systems were stand-alone and not connected to other networks," Stouffer said. "Today everything is so interconnected. Now they're vulnerable to everything on the internet."

A lot of industrial control systems now are using Microsoft software, so they are vulnerable to viruses targeting Windows, he added. Plus, many legacy systems were designed with relability in mind, not security.

Security requirements in the SPP include addressing security throughout the system's lifecycle, taking a defense-in-depth approach, authenticating users and data, encrypting certain information, and ensuring that products are secure out of the box rather than requiring the end user to implement security capabilities.

The SPP is a good first step for providing security guidelines to utilities, said Adam Lipson, president and CEO of consultancy Network & Security Technologies.

"In an effort to reduce operational costs, utilities are attempting to convert proprietary SCADA devices to lower cost IP-enabled systems.... Unfortunately, converting these to open systems has also created some new vulnerabilities," he said.

 

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.